Commanders urge Pentagon to counter growing threat of cyber attacks on industrial controllers

By Bill Gertz 

Two American military commanders are sounding the alarm on the growing threat to U.S. national security posed by cyber attacks on critical industrial control systems. 

Northern Command chief Adm. William Gortney and Pacific Command’s Adm. Harry Harris urged Defense Secretary Ash Carter to step up efforts to deal with the danger. 

“We respectfully request your assistance in providing focus and visibility on an emerging threat that we believe will have serious consequences on our ability to execute assigned missions if not addressed – cyber security of [Defense Department] critical infrastructure industrial control systems,” the admirals warned in a Feb. 11 letter. 

The commanders, who both are charged with defending U.S. territory, said the Department of Homeland Security monitored a seven-fold increase in cyber attacks on critical infrastructure between 2010 and 2015, including digital strikes against platform information technology, industrial control systems, and supervisory control and data acquisition systems. 

Platform information technology is the Defense Department's term for computer hardware and software that is embedded in or dedicated to a mission system and must be protected for that reason. It includes industrial control systems and the control networks of critical infrastructure, such as smart-grid technology for power grids. 

Such software runs the electric power grid as well as the networks that control water, fuel and other critical infrastructure. 

“Many nefarious cyber payloads—Shamoon, Shodan, Havex and BlackEnergy – and emerging ones have the potential to debilitate our installations’ critical infrastructure,” the admirals warned. 

Three of the four tools named by the commanders are malware families used by foreign adversaries that could disable or destroy critical U.S. infrastructure; the fourth, Shodan, is a public search engine that attackers use to find exposed targets. 

BlackEnergy has been linked by security researchers to Russian government cyber attacks, including the December 2015 attack that cut power to customers of Ukrainian electricity distribution companies. 

Shamoon is disk-wiping malware that has been used against oil and gas companies, including the 2012 attack on Saudi Aramco that destroyed data on some 30,000 computers. It wipes Windows workstations rather than controllers, but it left Aramco's business network unusable for days. That attack was linked to Iranian hackers. 

Shodan is a search engine that continuously scans the Internet and indexes the service banners returned by whatever answers, including the controllers used in critical industrial systems. It does not break into anything; it records what each device volunteers to any connection, which is enough to enumerate Internet-reachable PLCs, HMIs and SCADA gateways by protocol and product. It has indexed on the order of 100 million devices since it was introduced in 2009. Foreign adversaries are believed to use Shodan for reconnaissance against U.S. infrastructure in preparation for future cyber attacks. 

Havex is a remote access trojan (RAT) that security researchers have found targeting industrial control networks, delivered in part through trojanized installers placed on ICS vendors' websites. 

One of its modules scans the local network for hosts running Open Platform Communications (OPC) servers, the standard used to exchange data and commands between SCADA applications and process control hardware, and reports the servers and tags it finds back to its operators.
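The OPC scan described above leaves a network footprint a defender can look for. The script below is an added example, not code from the article or from any vendor or researcher cited in it. It assumes that Havex enumerated OPC Classic (OPC DA) servers over DCOM, which begins with the Microsoft RPC endpoint mapper on TCP/135, and that in a plant network a single workstation reaching many distinct hosts on TCP/135 within a few minutes is abnormal, because HMI and engineering hosts normally talk to a small, fixed set of OPC servers. The log layout, the addresses and the thresholds are constructed for the example.

```python
"""Flag a Havex-style OPC server sweep in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample in a simple "ts src dst dport proto" layout.
# 10.10.20.15 plays a compromised engineering workstation sweeping the
# subnet; 10.10.20.30 is an HMI polling its one legitimate OPC server.
SAMPLE_LOG = """\
# ts                  src          dst          dport proto
2016-02-11T09:00:01 10.10.20.30 10.10.20.5  135 tcp
2016-02-11T09:00:02 10.10.20.15 10.10.20.1  135 tcp
2016-02-11T09:00:02 10.10.20.15 10.10.20.2  135 tcp
2016-02-11T09:00:03 10.10.20.15 10.10.20.3  135 tcp
2016-02-11T09:00:03 10.10.20.15 10.10.20.4  135 tcp
2016-02-11T09:00:04 10.10.20.15 10.10.20.5  135 tcp
2016-02-11T09:00:04 10.10.20.15 10.10.20.6  135 tcp
2016-02-11T09:00:05 10.10.20.15 10.10.20.7  135 tcp
2016-02-11T09:00:05 10.10.20.15 10.10.20.8  135 tcp
2016-02-11T09:00:06 10.10.20.15 10.10.20.9  135 tcp
2016-02-11T09:00:06 10.10.20.15 10.10.20.10 135 tcp
2016-02-11T09:00:30 10.10.20.30 10.10.20.5  135 tcp
2016-02-11T09:01:00 10.10.20.30 10.10.20.5  135 tcp
2016-02-11T09:01:10 10.10.20.31 10.10.20.50 502 tcp
2016-02-11T09:10:00 10.10.20.40 10.10.20.5  135 tcp
2016-02-11T09:40:00 10.10.20.40 10.10.20.6  135 tcp
"""


def parse_log(text):
    """Parse the constructed layout into (ts, src, dst, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def find_opc_sweeps(records, window=timedelta(minutes=5), min_hosts=8,
                    allowlist=frozenset()):
    """Return {src: [dst, ...]} for sources that contacted at least
    `min_hosts` distinct hosts on TCP/135 inside any `window`-long span.

    `allowlist` holds (src, dst) pairs that are known legitimate OPC
    client/server relationships and are ignored. Thresholds are assumptions
    to be tuned per site; they are not published Havex indicators."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in records:
        if proto == "tcp" and dport == 135 and (src, dst) not in allowlist:
            by_src[src].append((ts, dst))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()  # by timestamp, then destination
        best = set()
        j = 0
        for i in range(len(events)):
            # Advance the window end; events are sorted so j never moves back.
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            hosts = {dst for _, dst in events[i:j]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            sweeps[src] = sorted(best, key=lambda ip: int(ip_address(ip)))
    return sweeps


if __name__ == "__main__":
    for src, hosts in find_opc_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"possible OPC enumeration from {src}: {len(hosts)} hosts on tcp/135")
```

Only 10.10.20.15 is reported: the HMI keeps hitting the same server, and 10.10.20.40 touches two hosts half an hour apart, which is below both the host and time thresholds. In production the same logic runs over Zeek conn logs or firewall flow records, and the allowlist is populated from the documented OPC client/server pairs so that legitimate polling never trips it.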

As military commanders with homeland defense responsibilities concerned about the growth of the cyber-linked world, Harris and Gortney called on Carter to do more against cyber threats to critical infrastructure. Copies of the letter, first disclosed by Federal Computer Week, were also sent to senior military and security officials.

The letter is an unusual appeal from the military about one of the most important national security issues facing the country. It reflects the growing concern within the military about the danger of cyber attacks that could cripple the country in both peace and wartime – often without fully knowing the origin of the attack.

The main threat to infrastructure comes from Russia and China and both countries’ intelligence services have been detected penetrating U.S. industrial control networks in reconnaissance operations – what the military refers to as preparation of the battle space for future attacks.

All 16 U.S. critical infrastructure sectors are currently vulnerable to cyber attack from China and Russia. But the most critical of all is the electrical grid, the backbone on which every other interconnected network and system relies.

The problem is not new. Reports from 2009 revealed that both the Chinese and the Russians had penetrated critical infrastructure. “The Chinese have attempted to map our infrastructure, such as the electrical grid. So have the Russians,” a senior intelligence official told the Wall Street Journal that year.

The cyber attacks on grid networks involve planting clandestine “sleeper agent” software that remains dormant and hard to detect in peacetime. In wartime, the software is triggered remotely, normally in the early stages of a conflict, to bring down systems; in the case of the electric grid, to turn out the lights, along with everything else that relies on electricity and lacks backup power.

Military planners in recent years have begun war-gaming future conflicts involving cyber attacks on critical infrastructure. The results are said to have been alarming. Targeted sophisticated cyber strikes to shut down power and other infrastructures can be carried out with devastating impact, and in coordinated stages and campaigns designed to force the quick defeat of the United States in a war.

Solutions are being worked on, such as developing new or redundant electrical power sources, stockpiling electrical transformers that are difficult to replace along with other measures.

Pentagon researchers recently testified to Congress that exotic ways to generate electricity are being studied, such as creating microscopic organisms that consume metal and give off electricity.

The massive efforts by both China and Russia to gather intelligence on U.S. critical infrastructure have been underway for more than a decade, and little has been done to counter or dissuade the spying.

For example, China’s hacking of the U.S. Transportation Command, discovered several years ago, has focused largely on how the Chinese might use the information to disrupt the logistics supply chain that underpins U.S. global military operations. Analysts say the intelligence from Transcom is also useful to the People’s Liberation Army for preparing pre-conflict cyber attacks on electrical grids in areas used in Transcom’s operations, further compounding the difficulty of supplying military forces.

Unsaid by Gortney and Harris in the letter is the danger of cyber attacks on the infrastructure used by military bases, weapons systems and command and control.

On Russian SCADA operations, Director of National Intelligence James Clapper disclosed in September that Russia was working to remotely access industrial control systems used in U.S. critical infrastructures.

“Unknown Russian actors successfully compromised the product supply chains of at least three [industrial control system] vendors so that customers downloaded malicious software designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates,” Clapper stated in congressional testimony.

The malicious software used by the Russians in critical infrastructure attacks was identified as BlackEnergy, the same malware detected in Moscow's recent effort to turn out the power in Ukraine.

Critical infrastructure cyber attacks are among the most significant dangers facing the nation as the threats from both China and Russia continue to advance. As Gortney and Harris note, more work needs to be done to prepare for and counter the threat from cyber attacks to infrastructure, including developing cyber deterrence with demonstrations of U.S. cyber warfare power. So far, President Obama and his administration have shown no inclination to use American cyber power to develop such deterrence.

— Feb. 28, 2016